Ransomware usually infects a computer when a user opens a phishing email, and although such emails have been alleged to be used to infect machines with WannaCry,[20] this method of attack has not been confirmed. Once installed, WannaCry uses the EternalBlue exploit and DoublePulsar backdoor developed by the U.S. National Security Agency (NSA)[21][22] to spread through local networks and remote hosts[23] which have not installed recent security updates, to directly infect any exposed systems.[5][24] A “critical” patch had been issued by Microsoft on 14 March 2017 to remove the underlying vulnerability for supported systems, nearly two months before the attack,[25] but many organizations had not yet applied it.[26]

Those still running exposed, older, unsupported operating systems such as Windows XP and Windows Server 2003 were initially at particular risk, but Microsoft has now taken the unusual step of releasing updates for these operating systems for all customers.[3][27]

Shortly after the attack began, a web security researcher who blogs as “MalwareTech” unknowingly flipped an effective kill switch by registering a domain name he found in the code of the ransomware. This slowed the spread of infection, but new versions have now been detected that lack the kill switch.

Starting from 21 April 2017, security researchers reported that computers with the DoublePulsar backdoor installed numbered in the tens of thousands.[40] By 25 April, reports estimated the number of infected computers to be up to several hundred thousand, with numbers increasing exponentially every day.[41][42] Apparently, DoublePulsar was used alongside EternalBlue in the attack.[43][44]

On 12 May 2017, WannaCry began affecting computers worldwide.[46] The initial infection might have been either through a vulnerability in the network defenses or a very well-crafted spear phishing attack.[47] When executed, the malware first checks the “kill switch” domain name.[a] If it is not found, then the ransomware encrypts the computer’s data,[48][49][50] then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet,[51] and “laterally” to computers on the same network.[52] As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of around $300 in bitcoin within three days or $600 within seven days.[49][53]

Organizations that had not installed Microsoft’s security update were affected by the attack.[36] Those still running the older Windows XP[54] were at particularly high risk because no security patches had been released since April 2014 (with the exception of one emergency patch released in May 2014).[3][55] However, the day after the outbreak Microsoft released an emergency security patch for Windows XP.[3]

According to Wired, affected systems will also have had the DoublePulsar backdoor installed; this will also need to be removed when systems are decrypted.[6]

Three hardcoded bitcoin addresses, or “wallets”, are used to receive the payments of victims. As with all such wallets, their transactions and balances are publicly accessible even though the wallet owners remain unknown.[56] As of 17 May 2017, at 2:33 UTC, a total of 238 payments totaling $72,144.76 had been transferred.[57]

The ransomware campaign was unprecedented in scale according to Europol,[8] which estimates that around 200,000 computers were infected across 150 countries. According to Kaspersky Labs, the four most affected countries were Russia, Ukraine, India and Taiwan.[10]

The attack affected many National Health Service hospitals in England and Scotland,[58] and up to 70,000 devices – including computers, MRI scanners, blood-storage refrigerators and theatre equipment – may have been affected.[59] On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.[13][60] In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.[54] NHS hospitals in Wales and Northern Ireland were unaffected by the attack.[11][13]

The attack’s impact is said to be relatively low compared to other potential attacks of the same type and could have been much worse had an anonymous security expert, who was independently researching the malware, not discovered that a kill switch had been built in by its creators,[63][64] or if it had been specifically targeted at highly critical infrastructure, like nuclear power plants, dams or railway systems.[65][66]

Several hours after the initial release of the ransomware on 12 May 2017, while trying to establish the size of the attack, Marcus Hutchins,[67] a researcher who blogs under the handle @MalwareTech,[68] accidentally discovered what amounted to a “kill switch” hardcoded in the malware.[69][70][71] Registering the domain name for a DNS sinkhole stopped the attack from spreading as a worm, because the ransomware only encrypted the computer’s files if it was unable to connect to that domain, which all computers infected with WannaCry before the domain’s registration had been unable to do. While this did not help already infected systems, it severely slowed the spread of the initial infection and gave time for defensive measures to be deployed worldwide, particularly in North America and Asia, which had not been attacked to the same extent as elsewhere. Analysis of the kill switch suggested that it may in fact be a bug in the malware whose code was originally intended to make the attack harder to analyse.[72][73][74][75] However, for the kill switch to work effectively, the domain needs to be resolvable locally and the response must be able to reach the malware. Some network configurations may prevent the kill switch from working.[76]
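Because the kill-switch check is a network lookup, it leaves a trace in DNS logs: any host that queried the domain ran the malware, and whether the lookup resolved tells a responder which of the two code paths described above it most likely took. The following triage script is an added illustration, not from the article or from any referenced research; the domain name is a placeholder (the article does not give it) and the log lines are constructed in a generic `timestamp client qname rcode` shape.

```python
"""Triage DNS query logs for WannaCry kill-switch lookups (added example)."""
import re
from collections import defaultdict

# PLACEHOLDER: substitute the real kill-switch domain from an IoC feed.
KILL_SWITCH_DOMAIN = "killswitch.example.invalid"

# Constructed sample log: "<timestamp> <client_ip> <queried_name> <rcode>"
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:02Z 10.0.4.17 www.example.com NOERROR
2017-05-12T10:03:44Z 10.0.4.23 killswitch.example.invalid NXDOMAIN
2017-05-12T10:03:45Z 10.0.4.23 killswitch.example.invalid NXDOMAIN
2017-05-12T11:20:09Z 10.0.7.5 killswitch.example.invalid NOERROR
2017-05-12T11:21:00Z 10.0.7.5 updates.example.org NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(log_text):
    """Yield (timestamp, client, qname, rcode) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each client that looked up the kill-switch domain to a verdict.

    'lookup-failed'   : no lookup ever resolved, so the malware could not reach
                        the domain and, per its logic, went on to encrypt and
                        attempt SMB spread; treat as an active infection.
    'lookup-resolved' : the sinkhole answered at least once; the worm stage
                        should have halted, but the host still executed the
                        sample and needs cleanup (e.g. DoublePulsar removal).
    Resolution is necessary but not sufficient: the HTTP response must also
    reach the malware, which proxied or egress-filtered networks can prevent.
    """
    rcodes = defaultdict(list)
    for _ts, client, qname, rcode in parse(log_text):
        if qname.lower().rstrip(".") == domain:
            rcodes[client].append(rcode)
    return {
        client: "lookup-resolved" if "NOERROR" in codes else "lookup-failed"
        for client, codes in rcodes.items()
    }
```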

Microsoft released a statement recommending users install update MS17-010 to protect themselves against the attack.[3] In an unusual move, the company also published security patches for several versions of Windows that are no longer supported for the general public, including Windows XP, Windows 8 and Windows Server 2003.[3]

On 16 May 2017, researchers from University College London reported that their PayBreak system is able to defeat WannaCry and several other families of ransomware.[77]

Several experts highlighted the NSA’s non-disclosure of the underlying vulnerability, and its loss of control over the EternalBlue attack tool that exploited it. Edward Snowden said that if the NSA had “privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, [the attack] may not have happened”.[78] British cybersecurity expert Graham Cluley also sees “some culpability on the part of the U.S. intelligence services”. According to him and others, “they could have done something ages ago to get this problem fixed, and they didn’t do it”. He also said that despite obvious uses for such tools to spy on people of interest, they have a duty to protect their countries’ citizens.[79] Russian President Vladimir Putin placed the responsibility for the attack on U.S. intelligence services, for having created EternalBlue.[80]

Others commented that this attack shows that the practice of intelligence agencies to stockpile exploits for offensive purposes rather than disclosing them for defensive purposes may be problematic.[64] Microsoft president and chief legal officer Brad Smith wrote, “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”[81][82]

Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations stated that “the patching and updating systems are broken, basically, in the private sector and in government agencies”.[64] In addition, Segal said that governments’ apparent inability to secure vulnerabilities “opens a lot of questions about backdoors and access to encryption that the government argues it needs from the private sector for security”.[64]

A number of experts used the publicity around the attack as a chance to reiterate the value and importance of having good, regular and secure backups, good cybersecurity including isolating critical systems, using appropriate software, and having the latest security patches installed.[83]